Following on from some earlier work on OpenBSD's "hardened" malloc, in 2007/2008 I spent some time reverse engineering Windows Vista's much vaunted heap implementation. I found several way to write a heap exploit that targetted heap structures instead of application chunks, and ended up doing a Blackhat presentation about this in 2008:
Attacking the Vista Heap
Given that it's almost universally easier to find some useful application specific memory to overflow, the question I most often receive about this presentation is: so, uh, has anyone ever written an exploit using these techniques?
- firstname.lastname@example.org (@benhawkes)